Spencer Twaddle ecb1d92df3
Write registry auth without docker CLI
2026-06-20 17:57:26 -05:00


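name: Build and Push

on:
  push:
    branches:
      - main
      - develop
    tags:
      - 'v*'

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Supply chain: the actions below are pinned by major tag only. A moved
      # tag would run different code here; pinning to a full commit SHA (with a
      # bot to bump it) is the stronger option.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Nothing below pushes to git, so do not leave the workflow token in
          # .git/config. The build context is `.`, which ships .git to the
          # builder (and potentially into image layers) unless .dockerignore
          # excludes it.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          cache-binary: false

      - name: Determine image name and tags
        id: meta
        env:
          # Pass context values through env so the workflow templater does not
          # interpolate them into the script body (prevents shell injection via
          # attacker-controlled ref names). Shell vars below are NOT templated.
          REF_TYPE: ${{ gitea.ref_type }}
          REF_NAME: ${{ gitea.ref_name }}
          REPOSITORY: ${{ gitea.repository }}
          SHA: ${{ gitea.sha }}
          REGISTRY: ${{ vars.REGISTRY }}
        run: |
          set -euo pipefail
          # Image names must be lowercase; lowercase the full owner/name path.
          IMAGE="${REGISTRY}/$(printf '%s' "$REPOSITORY" | tr '[:upper:]' '[:lower:]')"
          echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
          if [ "$REF_TYPE" = "tag" ]; then
            # The ref name is used verbatim as an image tag, so it must be a
            # valid Docker tag ([A-Za-z0-9_][A-Za-z0-9_.-]{0,127}). Reject bad
            # names here rather than failing the push after a full build, and
            # additionally require a version-looking name.
            case "$REF_NAME" in
              *[!A-Za-z0-9_.-]*)
                echo "Refusing to build tag with characters invalid in an image tag: $REF_NAME" >&2
                exit 1 ;;
              v[0-9]*) : ;;
              *)
                echo "Refusing to build non-version tag: $REF_NAME" >&2
                exit 1 ;;
            esac
            if [ "${#REF_NAME}" -gt 128 ]; then
              echo "Refusing to build tag longer than 128 characters" >&2
              exit 1
            fi
            echo "is_release=true" >> "$GITHUB_OUTPUT"
            echo "version=$REF_NAME" >> "$GITHUB_OUTPUT"
          else
            SHORT_SHA="$(printf '%s' "$SHA" | cut -c1-8)"
            echo "is_release=false" >> "$GITHUB_OUTPUT"
            echo "version=dev-${SHORT_SHA}" >> "$GITHUB_OUTPUT"
          fi

      - name: Log in to Gitea registry
        if: steps.meta.outputs.is_release == 'true'
        env:
          # The job image (node:20-bullseye) has no docker CLI, so docker/login-action
          # can't run. buildx reads ~/.docker/config.json directly, so write the auth
          # there ourselves. Secrets via env keep them out of the templated script.
          REGISTRY: ${{ vars.REGISTRY }}
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          set -euo pipefail
          # Fail clearly now instead of writing an empty credential and getting
          # an opaque 401 from the registry after the build.
          if [ -z "$REGISTRY_USER" ] || [ -z "$REGISTRY_PASSWORD" ]; then
            echo "REGISTRY_USER / REGISTRY_PASSWORD secrets are not set" >&2
            exit 1
          fi
          # config.json holds a reusable registry credential: create the
          # directory and file owner-only (0700 / 0600) rather than the umask
          # default of 0644.
          umask 077
          mkdir -p "$HOME/.docker"
          # printf is a shell builtin, so the secret never appears in a process
          # argument list; base64 reads it from stdin.
          AUTH="$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASSWORD" | base64 -w0)"
          # REGISTRY is an admin-controlled repository variable; it must not
          # contain `"` or `\`, which are not escaped here. AUTH is base64 and
          # therefore JSON-safe.
          printf '{"auths":{"%s":{"auth":"%s"}}}' "$REGISTRY" "$AUTH" > "$HOME/.docker/config.json"
          chmod 600 "$HOME/.docker/config.json"

      - name: Build and push release image
        if: steps.meta.outputs.is_release == 'true'
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          # Step outputs are expanded into action inputs, not into a shell, so
          # the (already validated) tag cannot inject commands here.
          # NOTE(review): every accepted v* tag, including pre-releases such as
          # v1.2.0-rc1, also moves `latest`; gate the second tag on a stricter
          # pattern if that is not intended.
          tags: |
            ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}
            ${{ steps.meta.outputs.image }}:latest

      - name: Build dev image (no push)
        if: steps.meta.outputs.is_release == 'false'
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          tags: ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}

      - name: Remove registry credentials
        # Runs even when the push fails so the credential does not outlive the
        # job on a runner that is not ephemeral.
        if: always() && steps.meta.outputs.is_release == 'true'
        run: rm -f "$HOME/.docker/config.json"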